Diffstat (limited to 'provider_base/services')
-rw-r--r--provider_base/services/_couchdb_master.json8
-rw-r--r--provider_base/services/_couchdb_mirror.json21
-rw-r--r--provider_base/services/_couchdb_multimaster.json24
-rw-r--r--provider_base/services/couchdb.json24
-rw-r--r--provider_base/services/couchdb.rb60
-rw-r--r--provider_base/services/monitor.json6
-rw-r--r--provider_base/services/mx.json15
-rw-r--r--provider_base/services/obfsproxy.json9
-rw-r--r--provider_base/services/openvpn.json7
-rw-r--r--provider_base/services/webapp.json23
10 files changed, 166 insertions, 31 deletions
diff --git a/provider_base/services/_couchdb_master.json b/provider_base/services/_couchdb_master.json
new file mode 100644
index 00000000..20c6f99b
--- /dev/null
+++ b/provider_base/services/_couchdb_master.json
@@ -0,0 +1,8 @@
+//
+// Applied to master couchdb node when there is a single master
+//
+{
+ "couch": {
+ "mode": "master"
+ }
+}
\ No newline at end of file
diff --git a/provider_base/services/_couchdb_mirror.json b/provider_base/services/_couchdb_mirror.json
new file mode 100644
index 00000000..6a3402bd
--- /dev/null
+++ b/provider_base/services/_couchdb_mirror.json
@@ -0,0 +1,21 @@
+//
+// Applied to all non-master couchdb nodes
+//
+{
+ "stunnel": {
+ "clients": {
+ "couch_client": "= stunnel_client(nodes[couch.replication.masters.keys], couch.port)"
+ }
+ },
+ "couch": {
+ "mode": "mirror",
+ "replication": {
+ // for now, pick the first close one, or the first one.
+ // in the future, maybe use haproxy to balance among all the masters
+ "masters": "= try{pick_node(:couch_master,nodes_near_me['services' => 'couchdb']['couch.master' => true]).pick_fields('domain.internal', 'couch.port')} || try{pick_node(:couch_master,nodes_like_me['services' => 'couchdb']['couch.master' => true]).pick_fields('domain.internal', 'couch.port')}",
+ "username": "replication",
+ "password": "= secret :couch_replication_password",
+ "role": "replication"
+ }
+ }
+}
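Review bot: `"username": "replication"` in the `couch.replication` block repeats the literal that couchdb.json gives the `replication` entry under `couch.users` in this same commit, so renaming the user in one file silently breaks replication auth in the other; the file already self-references with `couch.port`, so `"username": "= couch.users.replication.username"` would keep a single source. The `couch_client` stunnel on the first lines derives its targets from `couch.replication.masters.keys`, while `masters` is the result of `pick_fields('domain.internal', 'couch.port')`; nothing in this diff shows that result is keyed by node name the way `nodes[...]` expects, so it is worth confirming the mirror case resolves at all, given that the couchdb.rb header in this commit already says mirrors are not functional.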
diff --git a/provider_base/services/_couchdb_multimaster.json b/provider_base/services/_couchdb_multimaster.json
new file mode 100644
index 00000000..8c433188
--- /dev/null
+++ b/provider_base/services/_couchdb_multimaster.json
@@ -0,0 +1,24 @@
+//
+// Only applied to master couchdb nodes when there are multiple masters
+//
+{
+ "stunnel": {
+ "servers": {
+ "epmd_server": "= stunnel_server(couch.bigcouch.epmd_port)",
+ "ednp_server": "= stunnel_server(couch.bigcouch.ednp_port)"
+ },
+ "clients": {
+ "epmd_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], couch.bigcouch.epmd_port)",
+ "ednp_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], couch.bigcouch.ednp_port)"
+ }
+ },
+ "couch": {
+ "mode": "multimaster",
+ "bigcouch": {
+ "epmd_port": 4369,
+ "ednp_port": 9002,
+ "cookie": "= secret :bigcouch_cookie",
+ "neighbors": "= nodes_like_me['services' => 'couchdb']['couch.master' => true].exclude(self).field('domain.full')"
+ }
+ }
+}
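Review bot: The `neighbors` expression on the last line of the `bigcouch` block filters on `'couch.master' => true`, but couchdb.rb applies this partial to every couchdb node when `master_count == 0`, i.e. when no node is marked master; in that case the filter matches nothing and each bigcouch node is configured with an empty neighbor list. The definition this replaces in couchdb.json (`nodes_like_me[:services => :couchdb].exclude(self)`) had no such filter. The `epmd_clients`/`ednp_clients` entries above also disagree with `neighbors`: they target every couchdb node, mirrors included, while `neighbors` targets only masters. Both should select the same set — all couchdb nodes when no master is marked, only the masters otherwise — which likely means either a separate partial for the zero-master branch or a selection that does not depend on `couch.master`.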
diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json
index 5f1b5381..8b1386f8 100644
--- a/provider_base/services/couchdb.json
+++ b/provider_base/services/couchdb.json
@@ -3,20 +3,13 @@
"use": true
},
"stunnel": {
- "couch_server": "= stunnel_server(couch.port)",
- "epmd_server": "= stunnel_server(couch.bigcouch.epmd_port)",
- "epmd_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.epmd_port)",
- "ednp_server": "= stunnel_server(couch.bigcouch.ednp_port)",
- "ednp_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.ednp_port)"
+ "servers": {
+ "couch_server": "= stunnel_server(couch.port)"
+ }
},
"couch": {
+ "master": false,
"port": 5984,
- "bigcouch": {
- "epmd_port": 4369,
- "ednp_port": 9002,
- "cookie": "= secret :bigcouch_cookie",
- "neighbors": "= nodes_like_me[:services => :couchdb].exclude(self).field('domain.full')"
- },
"users": {
"admin": {
"username": "admin",
@@ -47,10 +40,15 @@
"username": "webapp",
"password": "= secret :couch_webapp_password",
"salt": "= hex_secret :couch_webapp_password_salt, 128"
+ },
+ "replication": {
+ "username": "replication",
+ "password": "= secret :couch_replication_password",
+ "salt": "= hex_secret :couch_replication_password_salt, 128"
}
},
- "webapp": {
- "nagios_test_pw": "= secret :nagios_test_password"
+ "webapp": {
+ "nagios_test_pw": "= secret :nagios_test_password"
}
}
}
diff --git a/provider_base/services/couchdb.rb b/provider_base/services/couchdb.rb
new file mode 100644
index 00000000..3bee3a67
--- /dev/null
+++ b/provider_base/services/couchdb.rb
@@ -0,0 +1,60 @@
+#######################################################################
+###
+### NOTE!
+###
+### Currently, mirrors do not work! The only thing that works is all
+### nodes multimaster or a single master.
+###
+#######################################################################
+#
+# custom logic for couchdb json resolution
+# ============================================
+#
+# There are three modes for a node:
+#
+# Multimaster
+# -----------
+#
+# Multimaster uses bigcouch (soon to use couchdb in replication mode
+# similar to bigcouch).
+#
+# Use "multimaster" mode when:
+#
+# * multiple nodes are marked couch.master
+# * OR no nodes are marked couch.master
+#
+# Master
+# ------
+#
+# Master uses plain couchdb that is readable and writable.
+#
+# Use "master" mode when:
+#
+# * Exactly one node, this one, is marked as master.
+#
+# Mirror
+# ------
+#
+# Mirror creates a read-only copy of the database. It uses plain coucdhb
+# with legacy couchdb replication (http based).
+#
+# This does not currently work, because http replication can't handle
+# the number of user databases.
+#
+# Use "mirror" mode when:
+#
+# * some nodes are marked couch.master
+# * AND this node is not a master
+#
+
+master_count = nodes_like_me['services' => 'couchdb']['couch.master' => true].size
+
+if master_count == 0
+ apply_partial 'services/_couchdb_multimaster.json'
+elsif couch.master && master_count > 1
+ apply_partial 'services/_couchdb_multimaster.json'
+elsif couch.master && master_count == 1
+ apply_partial 'services/_couchdb_master.json'
+else
+ apply_partial 'services/_couchdb_mirror.json'
+end
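Review bot: The `else` branch applies `services/_couchdb_mirror.json` even though the header of this same file states that mirrors do not work, so a deployment with at least one node marked `couch.master` silently turns every unmarked couchdb node into a non-functional read-only copy. A comment on that branch, `# NOTE: mirror mode is not functional yet (see header); every couchdb node not marked couch.master ends up here`, makes the outcome visible at the decision point; failing loudly instead would be preferable if the evaluation context allows it. The `master_count == 0` and `couch.master && master_count > 1` branches apply the same partial and could be a single condition. Minor: `coucdhb` in the Mirror section of the header is a typo for `couchdb`.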
diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json
index 03f6c6d1..c24724bf 100644
--- a/provider_base/services/monitor.json
+++ b/provider_base/services/monitor.json
@@ -12,11 +12,9 @@
},
"x509": {
"use": true,
+ "use_commercial": true,
"ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
"client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
- "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'",
- "commercial_cert": "= file [:commercial_cert, domain.full_suffix]",
- "commercial_key": "= file [:commercial_key, domain.full_suffix]",
- "commercial_ca_cert": "= try_file :commercial_ca_cert"
+ "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'"
}
}
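Review bot: The `commercial_cert`, `commercial_key` and `commercial_ca_cert` entries are removed from the `x509` block and replaced by `"use_commercial": true`, and the same replacement is made in mx.json and webapp.json; whatever definition those keys now come from is not part of this diff, so I could not confirm that every node setting `use_commercial` still resolves a commercial certificate. In particular the lines removed from webapp.json looked the certificate up by `webapp.domain`, whereas monitor.json and mx.json used `domain.full_suffix`; if `use_commercial` now selects one shared definition, that distinction has to be preserved or the webapp node may be served a certificate for the wrong name.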
diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json
index 731dee9a..11293ae8 100644
--- a/provider_base/services/mx.json
+++ b/provider_base/services/mx.json
@@ -1,9 +1,14 @@
{
"stunnel": {
- "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)"
+ "clients": {
+ "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)"
+ }
},
"haproxy": {
- "servers": "= haproxy_servers(nodes_like_me[:services => :couchdb], stunnel.couch_client)"
+ "couch": {
+ "listen_port": 4096,
+ "servers": "= haproxy_servers(nodes_like_me[:services => :couchdb], stunnel.clients.couch_client, global.services[:couchdb].couch.port)"
+ }
},
"couchdb_leap_mx_user": {
"username": "= global.services[:couchdb].couch.users[:leap_mx].username",
@@ -13,12 +18,10 @@
"mynetworks": "= nodes['environment' => '!local'].map{|name, n| [n.ip_address, (global.facts[name]||{})['ec2_public_ipv4']]}.flatten.compact.uniq",
"x509": {
"use": true,
+ "use_commercial": true,
"ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
"client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
- "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'",
- "commercial_cert": "= file [:commercial_cert, domain.full_suffix]",
- "commercial_key": "= file [:commercial_key, domain.full_suffix]",
- "commercial_ca_cert": "= try_file :commercial_ca_cert"
+ "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'"
},
"service_type": "user_service"
}
diff --git a/provider_base/services/obfsproxy.json b/provider_base/services/obfsproxy.json
new file mode 100644
index 00000000..979d0ef9
--- /dev/null
+++ b/provider_base/services/obfsproxy.json
@@ -0,0 +1,9 @@
+{
+ "obfsproxy": {
+ "scramblesuit": {
+ "password": "= base32_secret('scramblesuit_password_'+name)",
+ "port" : "= rand_range('scramblesuit_port_'+name, 18000..32000)"
+ },
+ "gateway_address": "= try{pick_node(:obfs_gateway,nodes_near_me['services' => 'openvpn']).pick_fields('openvpn.gateway_address')} || try{pick_node(:obfs_gateway,nodes_like_me['services' => 'openvpn']).pick_fields('openvpn.gateway_address')}"
+ }
+}
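Review bot: The `scramblesuit` block — `password` from `base32_secret('scramblesuit_password_'+name)` and `port` from `rand_range('scramblesuit_port_'+name, 18000..32000)` — is duplicated verbatim in openvpn.json in this same commit; the two copies will drift, and a shared partial applied by both services would keep the secret and port derivation in one place. The `gateway_address` expression falls through two `try{}` blocks and, when no openvpn node is found, resolves to nothing without any error at this point; if obfsproxy is only meaningful with an openvpn gateway, the absence should be surfaced rather than producing a gateway-less config.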
diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json
index 090afcd6..1906244c 100644
--- a/provider_base/services/openvpn.json
+++ b/provider_base/services/openvpn.json
@@ -26,5 +26,12 @@
"keepalive": "10 30",
"tun-ipv6": true
}
+ },
+ "obfsproxy": {
+ "scramblesuit": {
+ "password": "= base32_secret('scramblesuit_password_'+name)",
+ "port" : "= rand_range('scramblesuit_port_'+name, 18000..32000)"
+ },
+ "gateway_address": "= openvpn.gateway_address"
}
}
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index bbb52094..3af0dade 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -13,6 +13,7 @@
"allow_limited_certs": "= provider.service.allow_limited_bandwidth",
"allow_unlimited_certs": "= provider.service.allow_unlimited_bandwidth",
"allow_anonymous_certs": "= provider.service.allow_anonymous",
+ "allow_registration": "= provider.service.allow_registration",
"default_service_level": "= provider.service.default_service_level",
"service_levels": "= provider.service.levels",
"secret_token": "= secret :webapp_secret_token",
@@ -26,13 +27,21 @@
"nagios_test_user": {
"username": "nagios_test",
"password": "= secret :nagios_test_password"
- }
+ },
+ "engines": [
+ "support"
+ ]
},
"stunnel": {
- "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)"
+ "clients": {
+ "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)"
+ }
},
"haproxy": {
- "servers": "= haproxy_servers(nodes_like_me[:services => :couchdb], stunnel.couch_client, global.services[:couchdb].couch.port)"
+ "couch": {
+ "listen_port": 4096,
+ "servers": "= haproxy_servers(nodes_like_me[:services => :couchdb], stunnel.clients.couch_client, global.services[:couchdb].couch.port)"
+ }
},
"definition_files": {
"provider": "= file :provider_json_template",
@@ -59,11 +68,9 @@
},
"x509": {
"use": true,
+ "use_commercial": true,
"ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
- "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
- "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'",
- "commercial_cert": "= file [:commercial_cert, webapp.domain]",
- "commercial_key": "= file [:commercial_key, webapp.domain]",
- "commercial_ca_cert": "= try_file :commercial_ca_cert"
+ "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`.'",
+ "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`.'"
}
}
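Review bot: The new `client_ca_cert` and `client_ca_key` lines end the `:missing` message with a period after the backticked command, while the corresponding lines added to monitor.json and mx.json in this commit keep the message without one; the three should match, since operators searching for the exact text will only find one variant. Dropping the period here to match the other two files is the smaller change.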